IPA: attempt to create a certificate profile & ACL
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard
parent
c1014c4a8c
commit
d208e3a087
2 changed files with 210 additions and 1 deletions
|
|
@ -208,7 +208,7 @@
|
||||||
# failed_when: "'already exists' not in output.stderr and output.rc != 0"
|
# failed_when: "'already exists' not in output.stderr and output.rc != 0"
|
||||||
|
|
||||||
# Set the default value back
|
# Set the default value back
|
||||||
- name: Disable default permissions so we don't break our privacy policy
|
- name: Restore the default permission on user addressbook attributes
|
||||||
command:
|
command:
|
||||||
argv:
|
argv:
|
||||||
- ipa
|
- ipa
|
||||||
|
|
@ -247,6 +247,101 @@
|
||||||
- config
|
- config
|
||||||
when: ipa_initial
|
when: ipa_initial
|
||||||
|
|
||||||
|
# Certificate generation
|
||||||
|
- name: Make a directory to store certificate profiles
|
||||||
|
file:
|
||||||
|
path: /etc/ipa/certprofiles
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: Warn admins that this is not the canonical source
|
||||||
|
copy:
|
||||||
|
dest: /etc/ipa/certprofiles/README
|
||||||
|
content: "This is just a dump of the server values, which are accessible with ipa certprofile-find"
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
|
||||||
|
#- name: Check if we should import or update the certificate profile
|
||||||
|
# stat:
|
||||||
|
# path: /etc/ipa/certprofiles/userCerts.conf
|
||||||
|
# register: st_profile
|
||||||
|
|
||||||
|
- name: Copy the certificate profile for users
|
||||||
|
template:
|
||||||
|
src: userCerts.conf
|
||||||
|
dest: /etc/ipa/certprofiles/userCerts.conf
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: Create the certificate profile
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- ipa
|
||||||
|
- certprofile-import
|
||||||
|
- userCerts
|
||||||
|
- --desc=Profile for user certificates
|
||||||
|
- --store=true
|
||||||
|
- --file=/etc/ipa/certprofiles/userCerts.conf
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
#when: ipa_initial and not st_profile.stat.exists
|
||||||
|
when: ipa_initial
|
||||||
|
register: output
|
||||||
|
changed_when: "'Modified profile' in output.stdout"
|
||||||
|
failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0"
|
||||||
|
|
||||||
|
- name: Update the certificate profile
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- ipa
|
||||||
|
- certprofile-mod
|
||||||
|
- userCerts
|
||||||
|
- --desc=Profile for user certificates
|
||||||
|
- --store=true
|
||||||
|
- --file=/etc/ipa/certprofiles/userCerts.conf
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
#when: ipa_initial and st_profile.stat.exists
|
||||||
|
when: ipa_initial
|
||||||
|
register: update_output
|
||||||
|
changed_when: "'Modified profile' in output.stdout"
|
||||||
|
failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0"
|
||||||
|
|
||||||
|
# Create a new ACL linking the new profile and ipausers group (that all users are members of)
|
||||||
|
- name: Create the CA ACL for the new certificate profile
|
||||||
|
command: ipa caacl-add userCerts
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
when: ipa_initial
|
||||||
|
register: output
|
||||||
|
changed_when: "'already exists' not in output.stdout"
|
||||||
|
failed_when: "'already exists' not in output.stdout and output.rc != 0"
|
||||||
|
- name: Add the ipausers group to the CA ACL
|
||||||
|
command: ipa caacl-add-user userCerts --group ipausers
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
when: ipa_initial
|
||||||
|
register: output
|
||||||
|
changed_when: "'already exists' not in output.stdout"
|
||||||
|
failed_when: "'already exists' not in output.stdout and output.rc != 0"
|
||||||
|
- name: Add the ipausers group to the CA ACL
|
||||||
|
command: ipa caacl-add-profile userCerts --certprofile userCerts
|
||||||
|
tags:
|
||||||
|
- ipa/server
|
||||||
|
- config
|
||||||
|
when: ipa_initial
|
||||||
|
register: output
|
||||||
|
changed_when: "'already exists' not in output.stdout"
|
||||||
|
failed_when: "'already exists' not in output.stdout and output.rc != 0"
|
||||||
|
|
||||||
# Noggin user setup
|
# Noggin user setup
|
||||||
|
|
||||||
- name: Register the proper noggin admin password
|
- name: Register the proper noggin admin password
|
||||||
|
|
|
||||||
114
roles/ipa/server/templates/userCerts.conf
Normal file
114
roles/ipa/server/templates/userCerts.conf
Normal file
|
|
@ -0,0 +1,114 @@
|
||||||
|
profileId=userCerts
|
||||||
|
name=User certificate enrollment
|
||||||
|
desc=This certificate profile is for user certificates.
|
||||||
|
visible=true
|
||||||
|
enable=true
|
||||||
|
enableBy=admin
|
||||||
|
auth.instance_id=raCertAuth
|
||||||
|
classId=caEnrollImpl
|
||||||
|
input.list=i1,i2
|
||||||
|
input.i1.class_id=certReqInputImpl
|
||||||
|
input.i2.class_id=submitterInfoInputImpl
|
||||||
|
output.list=o1
|
||||||
|
output.o1.class_id=certOutputImpl
|
||||||
|
policyset.list=serverCertSet
|
||||||
|
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
|
||||||
|
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
||||||
|
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
|
||||||
|
policyset.serverCertSet.1.constraint.params.accept=true
|
||||||
|
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
|
||||||
|
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
|
||||||
|
policyset.serverCertSet.1.default.name=Subject Name Default
|
||||||
|
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={{ ipa_realm }}
|
||||||
|
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
|
||||||
|
policyset.serverCertSet.2.constraint.name=Validity Constraint
|
||||||
|
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
|
||||||
|
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
|
||||||
|
policyset.serverCertSet.2.constraint.params.range=740
|
||||||
|
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
|
||||||
|
policyset.serverCertSet.2.default.name=Validity Default
|
||||||
|
policyset.serverCertSet.2.default.params.range=731
|
||||||
|
policyset.serverCertSet.2.default.params.startTime=0
|
||||||
|
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
|
||||||
|
policyset.serverCertSet.3.constraint.name=Key Constraint
|
||||||
|
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
||||||
|
policyset.serverCertSet.3.constraint.params.keyType=RSA
|
||||||
|
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
|
||||||
|
policyset.serverCertSet.3.default.name=Key Default
|
||||||
|
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.4.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
||||||
|
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
|
||||||
|
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.5.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
||||||
|
policyset.serverCertSet.5.default.name=AIA Extension Default
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca{{ env_suffix }}.fedoraproject.org/ca/ocsp
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
|
||||||
|
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
|
||||||
|
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
|
||||||
|
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
|
||||||
|
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
|
||||||
|
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
|
||||||
|
policyset.serverCertSet.6.default.name=Key Usage Default
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageCritical=true
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
|
||||||
|
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
|
||||||
|
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.7.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
|
||||||
|
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
|
||||||
|
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
|
||||||
|
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
||||||
|
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
||||||
|
policyset.serverCertSet.8.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
|
||||||
|
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
|
||||||
|
policyset.serverCertSet.8.default.name=Signing Alg
|
||||||
|
policyset.serverCertSet.8.default.params.signingAlg=-
|
||||||
|
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.9.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
|
||||||
|
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca{{ env_suffix }}.fedoraproject.org/ipa/crl/MasterCRL.bin
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
|
||||||
|
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
|
||||||
|
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.10.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
|
||||||
|
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
|
||||||
|
policyset.serverCertSet.10.default.params.critical=false
|
||||||
|
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.11.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
|
||||||
|
policyset.serverCertSet.11.default.name=User Supplied Extension Default
|
||||||
|
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
|
||||||
|
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
|
||||||
|
policyset.serverCertSet.12.constraint.name=No Constraint
|
||||||
|
policyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl
|
||||||
|
policyset.serverCertSet.12.default.name=IECUserRoles Extension Default
|
||||||
|
policyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1
|
||||||
Loading…
Add table
Add a link
Reference in a new issue